httpd-users mailing list archives

From "Lee" <...@unassemble.co.uk>
Subject Re: Restricting types of CGI programs
Date Fri, 02 Aug 2002 09:20:59 GMT
Sorry, my memory is playing up again.  The script I used was as follows:

#!/bin/sh
echo "Content-Type: text/plain"
echo
echo
ls -l

This works fine on my own apache web server.

----- Original Message -----
From: "Lee" <lee@unassemble.co.uk>
To: <users@httpd.apache.org>
Sent: Friday, August 02, 2002 10:10 AM
Subject: Re: Restricting types of CGI programs


> Cheers for that.
>
> I was just curious as to if/how it was possible.
>
> I had a site hosted on a FreeBSD server once and I was then running Perl
> scripts (which ran fine) but then I wanted to see if it would run any others,
> such as sh or bash.  When I tried I just got "Internal Server Error", as
> far as I could tell the scripts were correct, in fact all one particular one
> did was
>
> #!/bin/sh
> ls -l
>
> And that was it.
>
> Regards Lee
>
> ----- Original Message -----
> From: "Boyle Owen" <Owen.Boyle@swx.com>
> To: <users@httpd.apache.org>
> Sent: Friday, August 02, 2002 9:50 AM
> Subject: RE: Restricting types of CGI programs
>
>
> >From: Lee [mailto:lee@unassemble.co.uk]
> >
> >I would like to try and restrict the types of CGI scripts that
> >can be run
> >from my webserver (Apache 1.3.26  & 1.3.26 with mod_ssl
> >running on FreeBSD
> >4.6).  Does anyone know if this is possible?
> >Basically I want to restrict users to only being able to run
> >Perl scripts.
>
> I can't think of an easy way to do this... The CGI engine just grabs the
> file and passes it to the OS which tries to execute it - whether it loads an
> interpreter (perl or shell-script) or executes it directly (compiled binary)
> depends on the file contents. Apache doesn't have the capability to look
> into the file and recognise its architecture.
>
> A workaround would be to write a program which would:
>
> - parse httpd.conf to find the locations of all CGI progs (ScriptAlias or
> AddHandler lines)
> - read each CGI prog and, using clever pattern matching, decide if it is a
> "legal" program
> - if it finds an "illegal" program, remove it, or (less draconian) switch
> off the execute permission and alert the admin (You).
>
> This monitor program could be invoked to run every minute by crond or could
> be a daemon...
>
> Presumably you want to do this so you can audit their code and check they
> are not doing anything dangerous? Be warned that anything you can do in C,
> you can do in Perl - there is nothing intrinsically "safe" about Perl. Also,
> regards readability, there used to be a competition in the Perl Journal
> where contestants had to write a program which looked like it did one thing
> but, in fact, did another. Failing that, they got points for a program which
> was impossible to read. This was the Obfuscated Perl Contest. So I wouldn't
> be too confident that you will always be able to screen out dodgy code - it
> is quite easy to make write-only Perl :-)
>
> Rgds,
>
> Owen Boyle
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

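Owen's suggested monitor, written out as an added example that is not from the thread: it pulls the ScriptAlias directories out of httpd.conf, classes each executable file by its "#!" line, and clears the execute bits of anything that is not Perl so Apache will refuse to run it. The conf line, the sample cgi-bin it builds and the Perl-only rule are assumptions; as Owen warns, a shebang check says nothing about what the Perl itself does.

```python
import os
import re
import stat
import tempfile

# Classification is by the "#!" line only: a program whose first line does not name perl is "illegal".
SCRIPTALIAS_RE = re.compile(r'^\s*ScriptAlias\s+\S+\s+"?([^"\s]+)"?', re.I)
PERL_SHEBANG_RE = re.compile(rb'^#!\s*(?:\S*/)?(?:env\s+)?perl[\d.]*(?:\s|$)')

def cgi_dirs_from_conf(conf_text):
    """Return the directories named on ScriptAlias lines of httpd.conf."""
    return [m.group(1).rstrip('/') for m in
            (SCRIPTALIAS_RE.match(line) for line in conf_text.splitlines()) if m]

def is_perl_program(path):
    """True when the file's first line is a perl shebang."""
    with open(path, 'rb') as f:
        return PERL_SHEBANG_RE.match(f.readline()) is not None

def audit_cgi_dir(directory):
    """Clear the execute bits of non-Perl programs; return the paths disabled."""
    disabled = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
            continue            # not a regular file, or not executable anyway
        if not is_perl_program(path):
            os.chmod(path, st.st_mode & ~0o111)
            disabled.append(path)
    return disabled

def make_demo_dir():  # constructed sample cgi-bin: a Perl script, a sh script, a text file
    d = tempfile.mkdtemp()
    files = {'hello.pl': b'#!/usr/bin/perl\nprint "Content-Type: text/plain\\n\\n";\n',
             'ls.sh': b'#!/bin/sh\necho "Content-Type: text/plain"\necho\nls -l\n',
             'README': b'not a program\n'}
    for name, body in files.items():
        p = os.path.join(d, name)
        with open(p, 'wb') as f:
            f.write(body)
        if name != 'README':
            os.chmod(p, 0o755)
    return d

if __name__ == '__main__':
    conf = 'ScriptAlias /cgi-bin/ "%s/"' % make_demo_dir()   # assumed, constructed conf line
    for d in cgi_dirs_from_conf(conf):
        for path in audit_cgi_dir(d):
            print('ALERT: execute permission removed from', path)
```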

